Western Digital MyBook Drive Lock Encryption – Failure and Recovery

Western Digital MyBook Elite external hard drives use hardware-based encryption chips to (optionally) encrypt drives using 256-bit encryption. This is OK for security, but horrible for data recovery. It is impossible to access (decrypt) the drive if the enclosure circuit board fails, even if the drive itself is fine. For this reason, I highly recommend not using the hardware-based encryption unless you have a solid off-site backup plan, such as Backblaze.

What if the Enclosure Fails?

If you’ve enabled the hardware-based encryption, the data on the drive is completely inaccessible without the encryption chip in the Western Digital enclosure. So a simple failure of the USB or power connector can mean your data is gone. Even if the drive is removed from the enclosure and connected directly to a computer, it will be unreadable because the hardware encryption chip is missing.

I’ve read that the drive may be readable in an identical Western Digital enclosure, because the encryption key is stored on the drive itself and not within the chip. Buying a new MyBook Elite enclosure, removing the new drive, and installing your old drive may allow for data recovery.

If the USB connector or power supply connector fails and encryption is enabled, your best option may be to repair the USB connector on the enclosure/board. A local TV repair shop or technical school is where I would start looking for help. You probably just need the connector soldered back on to the board. See this article for instructions on how to open the case and remove the drive/circuit board.

If other components on the board itself fail, your only chance of recovering the data is to remove the encryption chip from the failed board and transplant it to the board from an identical working Western Digital enclosure. This is not a cheap or easy thing to do: it’s much more difficult to de-solder and re-solder chips than it is USB or power connectors.

What if the Drive Itself Fails?

If the drive itself has failed, and not the enclosure/circuit board, you must perform data recovery on the drive and enclosure as a pair. You will first need to decrypt the drive using the Western Digital utility and then use something like Runtime.org GetDataBack data recovery software (free demo available.) If you send the drive to a data recovery company, be sure to tell them the drive is hardware encrypted and send both the enclosure and the drive.

Great info from commenter Joze Volf:

Major problem with these drives is also the fact that when integrated sata drive (usually low quality like wd green) starts developing bad sectors, the usb bridge doesn’t handle it well. It simply freezes. So you cannot get good data because the drive freezes after trying to access data on bad sector area. I can confirm that you can remove the drive from usb/encryption bridge, connect it directly to sata on mainboard (it handles bad sectors much easier), sector clone it to a new/good drive using a tool like ddrescue, connect the new drive back to usb/encryption bridge and your data is accessible. You will lose the bad sector data but you could at least access all other data/disk area. Well, if your file system metadata hasn’t been on bad sectors areas. If, then you should use some recovery programs afterwards.

A Better Alternative to Hardware Encryption

I would never use hardware-based encryption with an external hard drive. Hardware encryption is somewhat more secure than software-based encryption because both the password and the encryption chip are needed to decrypt the drive. But for external hard drives, the encryption chip and drive are in the same enclosure. If a thief steals it, they get both the chip and the drive.

If you do want to encrypt your drive, there are software-based alternatives. For external hard drives, software encryption is every bit as secure as the hardware encryption and, if the circuit board or enclosure fails, you can remove the drive, attach it to a computer or a different enclosure, and still decrypt and access the data. See this article for various software encryption options.

Protect your data with offsite backups:

If you encrypt your drive, data recovery is even more difficult, so I strongly recommend using an online backup service. So if your external drive fails, or in case of a catastrophic event (fire, theft), there is still a secure copy of your data. I highly recommend CrashPlan from Code 42, which gives unlimited online backup space for $3.96/month (and free backups between you and your friends/family computers.)

41 Comments

One comment, one question:

1) TrueCrypt doesn’t seem any more secure than WD hardware encryption, because the same thief who stole an encrypted WD drive and starts guessing passwords could do the same with a TrueCrypt protected drive. I agree that data recovery is more difficult though.

2) I own many WD drives, and today was really surprised when I took an unencrypted drive and enabled encryption. I expected to be prompted that all my data would be erased, but I wasn’t. Once I set a password, I unmounted the drive, and sure enough, in order to mount it again I needed the password… however the pre-existing data on the drive could not be encrypted since I wrote it all when the drive had no encryption set. So what does this mean? That each time I write data in the future onto the drive, that data is encrypted, but the prior data is not? If someone removed the drive from its enclosure and put it into another enclosure couldn’t they defeat the password lock and read all my data; since it was originally written onto the drive unencrypted?

You were surprised because the encryption depends on a random set of 32 bytes created at initialization. These 32 bytes are protected behind a default “key” which is the empty key. So the drive is always encrypted. When you change the password, the only thing that is re-encrypted is the random 32 bytes. Depending on the hardware you use, this encrypted data may or may not be stored on the drive (some enclosures have a flash that stores the data… this can REALLY screw you as the OP stated. You need to get the key back out of the flash and put it into a new one in order to decrypt the drive again). However, the My Passport series of drives stores the key material on the drive itself. So if the enclosure goes bad, using another enclosure should be an option.
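The key hierarchy this reply describes, as an added sketch that is not part of the original comments and is not Western Digital's implementation: a random 32-byte data key encrypts every sector, and only a small wrapped copy of that key depends on the password. PBKDF2 and the SHA-256 keystream cipher are stand-ins chosen so the example runs on the standard library; all names and sample values are constructed.

```python
import hashlib
import hmac
import os

def derive_kek(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the bridge firmware's real derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def toy_cipher(key: bytes, tweak: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 keystream XOR), NOT the chip's algorithm.
    # Because it is an XOR, the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + tweak + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap_dek(dek: bytes, password: str, salt: bytes) -> bytes:
    # The 64-byte "key blob": encrypted data key plus an integrity tag.
    kek = derive_kek(password, salt)
    body = toy_cipher(kek, b"wrap", dek)
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def unwrap_dek(blob: bytes, password: str, salt: bytes) -> bytes:
    kek = derive_kek(password, salt)
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or damaged key blob")
    return toy_cipher(kek, b"wrap", body)

def change_password(blob: bytes, old: str, new: str, salt: bytes) -> bytes:
    # Only the blob is rewritten; no user sector is touched.
    return wrap_dek(unwrap_dek(blob, old, salt), new, salt)

def demo() -> dict:
    lba0 = (0).to_bytes(8, "big")
    salt, dek = os.urandom(16), os.urandom(32)   # created at initialization
    blob = wrap_dek(dek, "", salt)               # factory state: empty password
    plaintext = b"constructed sample sector".ljust(512, b"\0")
    on_disk = toy_cipher(unwrap_dek(blob, "", salt), lba0, plaintext)

    # The user sets a password later: the blob changes, on_disk does not.
    new_blob = change_password(blob, "", "constructed-passphrase", salt)
    try:
        unwrap_dek(new_blob, "", salt)
        empty_rejected = False
    except ValueError:
        empty_rejected = True
    dek_again = unwrap_dek(new_blob, "constructed-passphrase", salt)

    return {
        "bare_drive_unreadable": on_disk != plaintext,
        "empty_password_rejected": empty_rejected,
        "old_data_readable_after_change": toy_cipher(dek_again, lba0, on_disk) == plaintext,
        # A board that holds a different data key cannot read these sectors.
        "replacement_key_fails": toy_cipher(os.urandom(32), lba0, on_disk) != plaintext,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recovery consequence is in the last entry: whatever holds the wrapped key (the drive itself or flash on the board) has to survive along with the data.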

Not really. WD did things right. Unless of course you don’t have a My Book, but have a My Passport. The OP is right in the sense that something like Truecrypt puts all of the security in your hands. If anything happens, you can move your data and still recover it with your password. You are basically left guessing the key (not your password).

What if the tech botches the repair on the drive? I had a tech resolder the usb and aside from the drive powering up, that’s it. I noticed on ebay there are some usb cards with the same serial #. Could I order one of those to recover the data off the drive?

Mike, not sure why it won’t decrypt in the new enclosure. Hopefully someone else will give some more details.

The only thing I can think to do is to test with a blank drive. Install it in the old enclosure and format/copy a few files over. Then move it to the new enclosure and see if the files are accessible. That way, you validate the recovery process. If it works, it could be that the drive has started to fail and the encryption key isn’t accessible.

If I have never set a password or encryption on the 3tb drive, will the data on it still need decryption when the bare drive is connected to a computer? I need the data off a drive and am wondering if I need to buy another 3tb drive to exchange the drives or get the circuit board from the new one.

EM: Unfortunately, the drive is probably encrypted even if you didn’t set a password. You can attach it to a computer to confirm, but all of the newer Western Digital enclosures appear to encrypt the drives automatically with an internal chip. You will most likely need to put the drive into an identical Western Digital enclosure to recover the data.
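One way to do the "attach it to a computer to confirm" check without writing anything to the disk, as an added example that is not from the original post or comments: read the first sector of the bare drive and look for a partition-table signature. The classification labels and sample sectors are constructed; the repeated-block case mirrors the pattern a later commenter reports seeing where an MBR would normally hold zeroes.

```python
from collections import Counter

SECTOR = 512
BLOCK = 16  # compare the sector in 16-byte units

def read_sector0(path: str) -> bytes:
    # path is a raw device node or an image file (assumption: caller has
    # read access; the drive is only ever opened read-only here).
    with open(path, "rb") as fh:
        return fh.read(SECTOR)

def max_block_repeats(sector: bytes) -> int:
    counts = Counter(sector[i:i + BLOCK] for i in range(0, len(sector), BLOCK))
    return counts.most_common(1)[0][1]

def classify_sector0(sector: bytes) -> str:
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector.count(0) == SECTOR:
        return "blank"                      # wiped or never initialized
    if sector[510:512] == b"\x55\xaa":      # boot signature present
        types = [sector[446 + 16 * n + 4] for n in range(4)]
        return "gpt" if 0xEE in types else "mbr"
    if max_block_repeats(sector) > 1:
        # No signature, but identical blocks recur: what a commenter on this
        # page describes on a bare MyBook drive. Do not format; image the
        # drive and read it through a matching bridge board instead.
        return "no-signature-repeating"
    return "no-signature"

def _mbr(partition_type: int) -> bytes:
    s = bytearray(SECTOR)
    s[450] = partition_type                 # type byte of the first entry
    s[510:512] = b"\x55\xaa"
    return bytes(s)

# Constructed sample sectors, not dumps from a real drive.
PATTERN = bytes.fromhex("3ad17c09e45b9026b8f3116dc74ea052")
SAMPLES = {
    "blank": bytes(SECTOR),
    "mbr": _mbr(0x07),
    "gpt": _mbr(0xEE),
    "behind-bridge": bytes(range(64)) + PATTERN * 27 + bytes(range(200, 216)),
}

def triage_samples() -> dict:
    return {name: classify_sector0(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:14s} -> {verdict}")
```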

A new control board is not enough. Not only does the board S/N have to match right down to the Rev block, but then you have to switch the u2 chip from the patient to the new donor, because the chip and HDD are paired to each other; that’s where the key to accessing the drive resides.

I unfortunately don’t have any spare sata drives to test your proposal out. I received a replacement card via ebay which had the same results as the original card. Prior to this happening, I was able to get all the sentimental data off the drive, so all that remained was files for streaming to the consoles.
Lesson learned – do not buy name branded external storage units! Just build your own.

I have WD My Book Elite 1 Tb and I forgot my password, now what should I do? I have very important data in it. I don’t want to lose it and I don’t want to pay too much to recover this data. Is there any suggestion? Thanks.

Just found this article, and it has a lot of useful information. However, I would like to add that WD hardware encryption issues have been one of the most recurring problems in the data recovery industry. When the drive does not mount, how does one go about recovery with software? Mainly drives do not mount either due to bad sectors or firmware corruption, so how do we address these issues on 2.5″ encrypted drives with proprietary usb 2.0 or 3.0? We found a solution for that and it involves converting these USB drives into SATA by using SATA boards that have identical CPU. Converted drive can either be imaged or fixed if firmware needs to be manipulated. Decryption part can be done by using 3.5″ usb bridge adapter. I hope that this additional post will help someone to get their data back.

My My Book crashed 2 months ago. My computer does not even detect the drive or if it does it only shows empty folders.
I tried buying another one to replace the usb board and still no luck. When I tried to put together the replaced device now it won’t detect it and what is even worse I don’t hear the motor of the drive.
I see the LED light flashing every now and then. Is this what you guys call the hardware encryption and therefore not allowing me to see the contents?

Sounds like I have to send the HD to the recovery center and have to fork out the $1K+ to get my family pictures back.

Hi, I am just enquiring about my “Western Digital” My Book Essential 1TB external harddrive.
I am unable to view any of the data on the device. Under computer management it says “unallocated” with 931.50GB data
and in device manager it appears when I plug the device into my PC via USB. It’s spinning fine and
sounds OK and there is no burning smell.

Major problem with these drives is also the fact that when integrated sata drive (usually low quality like wd green) starts developing bad sectors, the usb bridge doesn’t handle it well. It simply freezes. So you cannot get good data because the drive freezes after trying to access data on bad sector area. I can confirm that you can remove the drive from usb/encryption bridge, connect it directly to sata on mainboard (it handles bad sectors much easier), sector clone it to a new/good drive using a tool like ddrescue, connect the new drive back to usb/encryption bridge and your data is accessible. You will lose the bad sector data but you could at least access all other data/disk area. Well, if your file system metadata hasn’t been on bad sectors areas. If, then you should use some recovery programs afterwards.

Hey Carlton, great info! I didn’t know about the encryption and quick formatted my drive in a generic enclosure! The USB connector broke. Is it possible that if I fix the USB, that my data will work normal, since I formatted it in a generic enclosure without it going through the encryption chip??

Hey, thanks for responding so fast! I tried that Carlton, but it shows as unallocated space in the generic, because of the default encryption. So because of that I quick formatted, to get a drive letter. I have not used it since.

I want to know now that if I fix the broken USB, can I retrieve my data, even though I quick formatted (outside) of the encryption chip on the hardware?

I’ve read that to format a WD encrypted drive, you have to go through the original hardware chip. That’s what I am hoping.

Nice help spot you have here, very useful and in some cases, life saving!

After reading all of the other users’ comments, I have one problem of my own, maybe I’m missing something here.

This also involves a Western Digital My Book Essential (2 TB).
At the time the problem was solved but this is just to make you acquainted with the situation…

My HDD stopped all of a sudden. Something told me it was not a problem with the drive itself. For me, the closure was not receiving any electricity. Did my research. The problem was with the controller board, which is also the one to blame for encryption I assumed. Ordered a new one, the HDD works like a charm.

But I want to get rid of the encryption nonsense. So… after moving my data to a safe place, can I format this 2 TB Western Digital My Book Essential to a generic casing, generic everything! So I can use it as a standard HDD and use it in a external casing? If possible, should I just use the normal Disk Management Tool from Windows?

One thing should be made clearer, I think, when converting a HW encrypted drive to a standard one in a generic enclosure.

As was mentioned in a comment here, a “Quick Erase” didn’t seem to work – resulting in a small drive. This is because a “Quick Erase” only erases the data found within the confines of the existing data structures of the drive – like a massive “delete everything everywhere” operation.

However, with most hardware level encryption systems, everything – including the low level partition and disk structures – is scrambled. So a “Quick Erase” might be dumbfounded with the encryption drive. Perhaps WD encrypted drives provide a small fully non-encrypted volume for their “Virtual CD” volume. That would explain why one user’s Quick Erase produces a very small volume. That is, the Quick Erase may have only worked upon the only visible volume – the VCD one.

Here’s my general work flow for how I’d convert a HW encrypted drive to a completely standard, non-encrypted one:

1) Backup any data already on the encrypted drive to another device.
2) Remove the drive from the WD enclosure
3) Mount drive in a generic USB 3 (or other desired connector) enclosure
4) Delete whatever partitions your favorite partition manager sees
5) If your PM has the function (doubtful), do a low level format*
7) Allocate the formatted space into 1 or more partitions, as desired
8) Reformat and Initialize the partition(s) to the desired type, Mac, Win, etc.
9) You should now have the entire drive’s space generically available

* A “low level format” is a very special hardware level format that works at the extreme lowest level of a drive. It lays down the binary tracks of the media which are then used by higher level functions like partition managers and regular format operations. Such a format is sometimes available as a function within the BIOS of the drive which you control with a special program that accesses the drive’s BIOS functions. It also takes a VERY LONG TIME – like many hours or a day for large drives. Assuming the drives used in WD HW encrypted drives have the same structure as regular drives, they probably have such a low level format routine in their BIOS. If you can find the software, it would not be unwise to use to truly ensure the drive is completely reformatted at the very lowest level. But chances are it probably does not need such an intensive operation.

Damn! Carlton, I am completely choked with WD. I went through a similar diagnostic just now with a 2 TB MyBook Essential on a Yosemite iMac. The drive just stopped ‘existing’. I pulled the drive into a generic enclosure, and although the drive mounted, it could not be read. The drive was running but showed as empty with zero data. A Deep Scan with Data Rescue 3 found nothing but various forms of .Gzip archives. The .gzips could not be opened and only generated further compressed files. I suspected, thanks to your clues here and elsewhere, the real problem was a MyBook controller failure. Luckily, I have an identical MyBook drive. I just put the known good controller on the ‘dead’ drive, and BOOM. Normal mount, all data is there.

So. WD has created the equivalent of a ‘terminator’ drive. The controller craps out, and the data is auto-encrypted without my knowledge, and cannot be ‘seen’ by anything but a WD controller. What B.S. I’m going to get my data off here ASAP and never use WD drives again!

I have the same disk, same problem but without the second controller, unfortunately.
Trying to find a used one on ebay.
Is it possible that nobody figured out a way to decrypt it?
The encryption seems trivial, looking in the MBR, where zeroes are supposed to be there is a repetitive list of binary data, same pattern.
I tried to xor it but without success.

I haven’t seen any details of breaking the encryption. I wouldn’t be surprised if it were extremely simple to break. As I see it, the primary purpose of the encryption is not security but rather keeping external drives from being easily converted to internal drives – protecting those two separate pricing structures.

Carlton, of course, we find all this good pertinent information, after the fact and hours of research, but thank you for all the great info. I am at the point, where I extracted a 4TB Mybook, from the enclosure and jumped through many hoops, trying to get it to be recognized. After trying this and that, I was losing confidence that I would ever see my data again. It wasn’t until I reattached the bridge card outside of the housing, that I could see all was well. Just confused on one point, if, after getting my data off, I reformat the drive attached via SATA as now an internal drive, would that rid the drive of the need for the USB to SATA bridge?

Hi Carlton, how do I know if I have enabled the hardware encryption? I have used a WD Mybook Essential 3TB since 2014 without installing any of the WD software which came along and likewise don’t remember setting up any encryption using the provided software. Does it mean that it is encryption free? I connected my laptop power supply to the ext. hdd and damaged the board.

Good morning Carlton! Great blog going on here. I made the mistake of purchasing a 1Tb My Book which worked great for 15 months. Then, apparently the encryption board went out. I tried buying a new drive to switch the encryption boards and could not find the same serial number. So, no data recovery. Since I had the new drive I went ahead and used it to store the contents of my HD which included all my family pics for the past 30 years. Big mistake. Second drive failed in 13 months. By this time I had purchased a 3 Tb drive to expand my storage area, but since I have been burned by 2 My Books I want to just reformat the 3 Tb drive and use it without the encryption board. However, anytime that I try to format the drive I’m told by the computer that there is no media on that drive. I have tried to use computer management to edit the register for that drive from 0 to 2, as I had read in a post somewhere, but that didn’t help. Any suggestions on how to reformat the encrypted drive without the encryption board being installed?
Thanks,
Rick

To my knowledge, using third-party drives is not possible. I definitely would not recommend it due to the encryption problems. As cheap as generic external enclosures are, I recommend using them instead.

I have a similar problem, with two (1TB & 2TB) My Book Essential drives. I am fed up of this PCB failure, only less than 6 months service. I now want to just have the drives docked into dock stations. But cannot access them. Computer Manager indicates the drive as unallocated. Is there some software to format wholly the hardware encrypted drive, I don’t mind losing the data. Can the jumper setting also aid in resetting just like we would reset the bios by adjusting the jumper settings in computer motherboard.

Hardware encryption on the WD MyBook is *NOT* optional. I had the 2TB one nearly full when the USB bridge failed. I had never once willingly encrypted the drive. I did not set a password or key. I plugged the drive into my computer when I received it and began storing data. That’s it. Despite this, the drive was encrypted and unreadable in any other machine/enclosure. For this reason I have never and will never purchase a WD external drive again.